I want to be able to re-use the key role from this project in other projects so I can have custom playbooks, vaults, etc but I can't easily do that today because a requirements file requires the role to be the top level element in a repository.

Having this issue with a customer trying to adopt applier. We're having trouble figuring out how to insert the certificate data with format:

-----BEGIN CERTIFICATE-----
keydata
-----END CERTIFICATE-----

Into a parameter file such that it can be processed/applied into a route template. With a secret, this is simpler, because I can base64 and pass it in as raw secret data without line breaks, but since routes don't handle it the same way, we're struggling with it.

Does it make sense for the openshift-applier to support configmaps?

I believe the k8s_raw module is now in a place where we could adopt it in openshift-applier. There is also an oc_process module in openshift-ansible right now. Between the two, they should provide the functionality we need to remove the hard dependency on oc.

Obviously, the hosting of the process module in openshift-ansible is problematic, as that creates a new, fairly heavy dependency for applier, so we'll want to inquire as to the roadmap/vision for that module, and see if we can influence that. Currently I see no module that provides the process functionality in ansible proper.

reminder to me to push the docs for param directories

Remove 3.x tags since they have been moved to 2.x

With the growing consensus that projects should be split out into their own inventory, the remaining items I want to publish to a project should be able to be applied in parallel. Is there a native way we can do that in ansible. Could cut down execution time significantly on larger inventories (e.g. labs-ci-cd)

In some cases, when an OpenShift template has a all parameters set to a default value, and the default values are acceptable there's no need to specify a set of params (command line or file). Hence, the openshift-applier should support processing an inventory that only has a template specified but no params file.

The image uses sleep infinity, so if I user forgets to supply a command when running the container, they an unresponsive container that hangs and needs to be killed via docker rm or the like. Replacing with /bin/bash seems to be a bit more user friendly.

Thoughts?

When pulling from a url, I am seeing this:
oc process --local -f /tmp/ansible.QJzGsC/https://raw.githubusercontent.com/redhat- cop/cluster-lifecycle/v3.10.0/files/projectrequest/template.yml ... which is causing failures.

This was seen on v2.0.4

Older versions of OCP doesn't support the ignore_unknown_parameters flag, so this issue is to make it configurable to not set it at all.

Currently if you are a non cluster admin user and follow the instructions to change the action for a ProjectRequest to be create that works, but when you follow the instructions to do deprovission by setting provision=false you get an error about not being able to use apply.

There needs to be some way to either set the deprovission action or there needs to be more smarts in the provision=false logic so that if the action: create then the deprovission action will be delete.

Execution against a remote host fails

TASK [openshift-applier : set_fact] ********************************************************************************************************************************************************************************************************************************************
task path: /Users/ablock/Projects/RHC/internal/cop/git/openshift-applier/roles/openshift-applier/tasks/process-template.yml:24
Wednesday 05 September 2018  07:39:02 -0500 (0:00:00.075)       0:00:16.707 *** 
 [WARNING]: Unable to find '/tmp/ansible.Eumfaq//Users/ablock/Projects/RHC/internal/cop/git/openshift-applier/tests/inventories/molecule-multi-files-dir/../../files/multi-files-dir' in expected paths (use -vvvvv to see paths)

The result of the above does not properly set flags necessary to support injecting the location of a parameters file (if not others as well)

The template fails to be applied with the following error:

TASK [openshift-applier : Create OpenShift objects based on template with params for 'projectrequest : label-test'] ************************************************************************************************************************************************************
task path: /Users/ablock/Projects/RHC/internal/cop/git/openshift-applier/roles/openshift-applier/tasks/process-template.yml:42
Wednesday 05 September 2018  07:39:02 -0500 (0:00:00.199)       0:00:17.036 *** 
<centos> ESTABLISH DOCKER CONNECTION FOR USER: root
<centos> EXEC ['/usr/local/bin/docker', 'exec', '-i', u'centos', u'/bin/sh', '-c', u"/bin/sh -c 'echo ~ && sleep 0'"]
<centos> EXEC ['/usr/local/bin/docker', 'exec', '-i', u'centos', u'/bin/sh', '-c', u'/bin/sh -c \'( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1536151142.57-171603998071746 `" && echo ansible-tmp-1536151142.57-171603998071746="` echo /root/.ansible/tmp/ansible-tmp-1536151142.57-171603998071746 `" ) && sleep 0\'']
Using module_utils file /Users/ablock/.virtualenvs/molecule/lib/python2.7/site-packages/ansible/module_utils/basic.py
Using module_utils file /Users/ablock/.virtualenvs/molecule/lib/python2.7/site-packages/ansible/module_utils/_text.py
Using module_utils file /Users/ablock/.virtualenvs/molecule/lib/python2.7/site-packages/ansible/module_utils/parsing/convert_bool.py
Using module_utils file /Users/ablock/.virtualenvs/molecule/lib/python2.7/site-packages/ansible/module_utils/parsing/__init__.py
Using module_utils file /Users/ablock/.virtualenvs/molecule/lib/python2.7/site-packages/ansible/module_utils/pycompat24.py
Using module_utils file /Users/ablock/.virtualenvs/molecule/lib/python2.7/site-packages/ansible/module_utils/six/__init__.py
Using module file /Users/ablock/.virtualenvs/molecule/lib/python2.7/site-packages/ansible/modules/commands/command.py
<centos> PUT /Users/ablock/.ansible/tmp/ansible-local-25735RQGrZO/tmpKWbSP1 TO /root/.ansible/tmp/ansible-tmp-1536151142.57-171603998071746/command.py
<centos> EXEC ['/usr/local/bin/docker', 'exec', '-i', u'centos', u'/bin/sh', '-c', u"/bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1536151142.57-171603998071746/ /root/.ansible/tmp/ansible-tmp-1536151142.57-171603998071746/command.py && sleep 0'"]
<centos> EXEC ['/usr/local/bin/docker', 'exec', '-i', u'centos', u'/bin/sh', '-c', u"/bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1536151142.57-171603998071746/command.py && sleep 0'"]
<centos> EXEC ['/usr/local/bin/docker', 'exec', '-i', u'centos', u'/bin/sh', '-c', u"/bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1536151142.57-171603998071746/ > /dev/null 2>&1 && sleep 0'"]
failed: [centos] (item=) => {
    "changed": true, 
    "cmd": "oc process   /Users/ablock/Projects/RHC/internal/cop/git/openshift-applier/tests/inventories/molecule-multi-files-dir/../../files/templates/projectrequest.yml    --ignore-unknown-parameters | oc create  -f - ", 
    "delta": "0:00:00.583179", 
    "end": "2018-09-03 02:09:02.621017", 
    "failed_when_result": true, 
    "invocation": {
        "module_args": {
            "_raw_params": "oc process   /Users/ablock/Projects/RHC/internal/cop/git/openshift-applier/tests/inventories/molecule-multi-files-dir/../../files/templates/projectrequest.yml    --ignore-unknown-parameters | oc create  -f - ", 
            "_uses_shell": true, 
            "argv": null, 
            "chdir": null, 
            "creates": null, 
            "executable": null, 
            "removes": null, 
            "stdin": null, 
            "warn": true
        }
    }, 
    "msg": "non-zero return code", 
    "oc_param_file_item": "", 
    "rc": 1, 
    "start": "2018-09-03 02:09:02.037838", 
    "stderr": "error: invalid argument \"/Users/ablock/Projects/RHC/internal/cop/git/openshift-applier/tests/inventories/molecule-multi-files-dir/../../files/templates/projectrequest.yml\"\nerror: no objects passed to create", 
    "stderr_lines": [
        "error: invalid argument \"/Users/ablock/Projects/RHC/internal/cop/git/openshift-applier/tests/inventories/molecule-multi-files-dir/../../files/templates/projectrequest.yml\"", 
        "error: no objects passed to create"
    ], 
    "stdout": "", 
    "stdout_lines": []
}
fatal: [centos]: FAILED! => {
    "censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result", 
    "changed": true
}

Appears the latest image is missing git, so inventories that use pre/post steps are failing:

TASK [openshift-applier/roles/openshift-applier : Run ansible-galaxy to pull in dependency roles] **********************************************************************************************************************************************************************************************************************************************
failed: [ci-cd-tooling] (item=/tmp/src/galaxy_requirements.yml) => {"changed": true, "cmd": ["ansible-galaxy", "install", "-r", "/tmp/src/galaxy_requirements.yml", "-p", "/tmp/ansible.EXTHjh/"], "delta": "0:00:00.625567", "end": "2018-04-10 00:15:04.490328", "item": "/tmp/src/galaxy_requirements.yml", "msg": "non-zero return code", "rc": 1, "start": "2018-04-10 00:15:03.864761", "stderr": " [WARNING]: - labs-ci-cd was NOT installed successfully: error executing: git\nclone https://github.com/rht-labs/labs-ci-cd labs-ci-cd\nERROR! - you can use --ignore-errors to skip failed roles and finish processing the list.", "stderr_lines": [" [WARNING]: - labs-ci-cd was NOTinstalled successfully: error executing: git", "clone https://github.com/rht-labs/labs-ci-cd labs-ci-cd", "ERROR! - you can use --ignore-errors to skip failed roles and finish processing the list."], "stdout": "", "stdout_lines": []}

Fedora 29 distributes ansible packages in versions 2.7.1 and 2.6.5, all of them executing Python3 by default. This leads to the following error when using the applier:

[WARNING]: Skipping plugin (.../.openshift-applier/roles/openshift-applier/roles/openshift-applier/filter_plugins/applier-filters.py) as it seems to be invalid: No module named 'urlparse'

As the module name changed between Python2 and Python3 (urlparse -> urllib.parse) a suggestion for a fix to support Python3 interpreters could be:

try:
    from urlparse import urljoin
except ImportError:
    from urllib.parse import urljoin

Check if oc is <= 3.6, if so, set global oc_ignore_unknown_parameters to false

The ansible-galaxy logic in applier appears to assume that it will be run on localhost. When targetting a remote location (e.g. as part of a CASL provisioning run), I get the following error:

 TASK [openshift-applier : Run ansible-galaxy to pull in dependency roles] *****************************************************************************************************************************************
Monday 27 August 2018  20:07:44 +0000 (0:00:00.111)       0:00:04.407 ********* 
failed: [master-0.esauer1.casl-contrib.osp.rht-labs.com] (item=/tmp/src/casl-ansible/inventory/sample.osp.example.com.d/inventory/../files/galaxy_requirements.yml) => {"changed": true, "cmd": ["ansible-galaxy", "install", "-r", "/tmp/src/casl-ansible/inventory/sample.osp.example.com.d/inventory/../files/galaxy_requirements.yml", "-p", "/tmp/ansible.pVmL6e/"], "delta": "0:00:00.714876", "end": "2018-08-27 16:07:45.803873", "item": "/tmp/src/casl-ansible/inventory/sample.osp.example.com.d/inventory/../files/galaxy_requirements.yml", "msg": "non-zero return code", "rc": 1, "start": "2018-08-27 16:07:45.088997", "stderr": "ERROR! Unable to open /tmp/src/casl-ansible/inventory/sample.osp.example.com.d/inventory/../files/galaxy_requirements.yml: [Errno 2] No such file or directory: u'/tmp/src/casl-ansible/inventory/sample.osp.example.com.d/inventory/../files/galaxy_requirements.yml'", "stderr_lines": ["ERROR! Unable to open /tmp/src/casl-ansible/inventory/sample.osp.example.com.d/inventory/../files/galaxy_requirements.yml: [Errno 2] No such file or directory: u'/tmp/src/casl-ansible/inventory/sample.osp.example.com.d/inventory/../files/galaxy_requirements.yml'"], "stdout": "", "stdout_lines": []}

RUNNING HANDLER [openshift-applier : Clean-up temporary dep dir] **************************************************************************************************************************************************
Monday 27 August 2018  20:07:46 +0000 (0:00:02.035)       0:00:06.443 ********* 

PLAY RECAP ********************************************************************************************************************************************************************************************************
master-0.esauer1.casl-contrib.osp.rht-labs.com : ok=4    changed=1    unreachable=0    failed=1   

My suggestion would be as part of the k8s module, but probably could go through being it's own open source module first (or maybe an enhancement to oc_process):

Benefits:

• Full use of Ansible powers
• Import playbooks to compose several pieces (aka bootstrap + tools + anything ... + something else)
• Could be used in combination with things like the helm_module in the future
• directly in playbooks

Current k8s module

# Passing the object definition from a file

- name: Create a Deployment by reading the definition from a local file
  k8s:
    state: present
    src: /testing/deployment.yml

Future k8s module?

- name: Instatiate a Template by reading a template from a local file with params from variables
  k8s:
    state: present
    template: /testing/template.yml
    params: "{{ params_object }}"

- name: Instatiate a Template by reading a template and params from a local files
  k8s:
    state: present
    template: /testing/template.yml
    params: /testing/params.txt

We want to get new users up and running quickly with OpenShift Applier. To that, we want to have a tutorial that begins with the most minimal useful thing that you can run with applier, and slowly builds up (in complexity) and out (in scope). For the first "chapter", we will walk through the Applier equivalent of:

• Logging into OpenShift
• Running oc new-project
• Running oc new-app ...

We should make sure and point out the advantages of this approach, and cite the limitations of oc new-app described in the template guide: http://v1.uncontained.io/playbooks/fundamentals/template_development_guide.html#kickin-it-off-with-some-oc-new-app

The "check-file-location" handling in the openshift applier role is very "expensive" and increases the time used for execution by a lot. This should be replaced with a python filter to help speed up the execution.

do we have an inventory where https://github.com/redhat-cop/openshift-applier/blob/master/roles/openshift-labels is in use as a pre/post task?

Currently, when you specify a template file it requires a params option. It should be possible to apply a template without a params file when no params are required. This is useful for when you want to process a template an accept all of the default parameters or when there are no parameters.

fatal: [localhost]: FAILED! => {"changed": false, "msg": "Template specified, but no params file supplied"}

Moved from: redhat-cop/casl-ansible#223

Example:

- object: Set up Image Builds
  namespace: image-builds
  content:
  - name: Create Image Builds Project
    template: "{{ inventory_dir }}/../templates/project.yml"
    params: "{{ inventory_dir }}/../params/image-management-project"
    template_action: create

@oybed @pabrahamsson

I want to be able to tag images from different namespace and create labels on that new is in my given project. @oybed this links to rht-labs/enablement-docs#236 as discussed there.

After updating to Fedora 29, I am receiving the following error while trying to apply a template with params_from_vars:

The task includes an option with an undefined variable. The error was: 'ansible.utils.unsafe_proxy.AnsibleUnsafeText object' has no attribute 'oc_path'\n\nThe error appears to have been in '/home/jacob/Labs/industry-4.0-demo/bridge/.openshift-applier/roles/openshift-applier/roles/openshift-applier/tasks/process-template.yml': line 66, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: \"{{ oc_action | capitalize }} OpenShift objects based on template with params for '{{ entry.object}} : {{ content.name | default(template | basename) }}'\"

I have tried with both python2 and python3 with the same error.
Potentially of note is that the Retrieve oc client version step takes 1-2 seconds. Not sure how long it took to complete previously, but it seems like a step that should be nearly instantaneous.

We have the openshift applier pointed at a directory to apply all the items in the directory. One of the definitions in there is a storageclass, which is an immutable object type. The apply action always fails even if there is no change to the storageclass definition(due to changes to storageclasses not being permitted). We had to separate it out to a new folder and do our automation in 2 phases. Could it be beneficial to have the openshift-applier handle these more gracefully? I understand the error if there indeed was a change attempting to be applied but shouldnt fail if the definition is already correct.

The requests call in the openshift-ansible role (https://github.com/redhat-cop/openshift-applier/blob/master/roles/openshift-applier/filter_plugins/applier-filters.py#L53) has proven to be problematic for various reasons, including:

• introduces additional dependency that not all environments have
• can be troublesome validating SSL based URLs

This issue is to track the changes needed to eliminate the need for requests. May want to consider using something like httplib or urllib2 instead. Some potential solutions seen here: https://stackoverflow.com/questions/16778435/python-check-if-website-exists

The documentation for this repo should be consolidated / re-structured and a /docs directory should be used, and referenced from the top level README.

Currently, the openshift-applier supports using a galaxy requirements file to pull in pre/post step roles. This works great, but can be confusing if the roles are kept in the same repo as the inventory used to drive the openshift-applier run. In that case, it would be great if the openshift-applier could support utilizing local roles that exists in the local repo. I.e.: make the applier check locally first, if not found, use the galaxy roles.

I have ran into params file doesn't exist a couple of times. I have built my own Jenkins image which does not require a param file to be used when applying the template. What is the recommended approach to this solution? I just created an empty param file with a comment.

Please add option to define
https://github.com/redhat-cop/openshift-applier/blob/master/roles/openshift-applier/tasks/process-template.yml#L43
to use "no_log" per object.

For secrets applying the only option is to make entire openshift-applier run with "no_log"

Reference to "no_log":
https://docs.ansible.com/ansible/2.6/reference_appendices/faq.html#how-do-i-keep-secret-data-in-my-playbook

Here's my first stab at answering this question...

First off, applier and oc are not equivalent technologies. Applier is a higher level framework that is built on top of oc and is opinionated toward the use of only a few primatives that can be universally used to do essentially anything that you can do in OpenShift and Kubernetes. These primatives are:

• oc apply
• oc create
• oc delete

NOTE: Technically applier allows the use of oc replace in there as well, but we see replace as functionally redundant with apply so we don't include it here.

Applier as a concept

The idea behind applier is that if you are disciplined in only using these primatives to apply yaml or json objects to do things in openshift as opposed to "helper functions" (e.g. oc new-app, oc new-project, oc adm etc.) what you will end up with is an easily repeatable and automatable structure that can be easily version controlled in git and managed as a long term solution.

The openshift-applier is a framework that builds on this concept to provide an ansible inventory syntax that can be used to tie together all of your openshift resource files and templates

How this relates to oc and the ansible modules for openshift

Since openshif-applier relies on oc, we do have an interest in any developments to improve the ansible experience with openshift client tools. Currently though, there are multiple ansible modules for openshift. Some are being developed by the ansible community, others by the openshift community, and they tend to have a lot of overlapping functionalities and many are incomplete. At some point we hope the communities standardize on something and at that point we would look to replace our use of the oc binary with a module that gives us similar functionality.

I'm starting a thread to start to brainstorm/propose how we can go about increasing the adoption of applier, both on the app and ops sides.

Some things on my mind at the moment are:

• An introductory tutorial
• A set of labs/exercises that someone could go through
• A set of links to other resources and repos that use applier

@redhat-cop/casl @redhat-cop/cant-contain-this @redhat-cop/developer-workflow

https://github.com/redhat-cop/openshift-applier/blob/master/roles/openshift-applier/tasks/process-template.yml#L43 always shows as "changed" in Ansible output

Since oc 3.9 the "oc apply" returns information whether is perfoma any change the server or not.
So "changed_when" option can be used by comparing oc_apply stdout.

Actually oc command works via computing patch so it know whether it performs a change on the server - since oc 3.11 (or later) oc apply will be actually happening on the server completely.

References:
https://docs.ansible.com/ansible/2.6/user_guide/playbooks_error_handling.html#overriding-the-changed-result
https://ansibledaily.com/idempotent-shell-command-in-ansible/

I feel like in the context of a repo dedicated to openshift-applier, the name of the default playbook we use playbooks/openshift-cluster-seed.yml is awkward. I think we need to come up with a new convention for the playbooks/ folder, allowing for shorter names and multiple playbooks of various flavors.

To that, I would propose the following change:

mv playbooks/openshift-cluster-seed.yml playbooks/simple.yml
sed -i 's/hosts: seed-hosts/hosts: applier-hosts/' playbooks/simple.yml

For building complex examples where in the real world an inventory might have split ownership across several users and teams, it would be useful to be able to plug in and test those ownership rules with user impersonation.

openshift-applier should support the ability to source from multiple inventories. Currently this is not possible since the openshift cluster content will be overwritten.

ci_cd:
  namespace: psc-ci-cd
  namespace_display_name: blah blah blah

openshift_cluster_content:
- object: projectrequest
  content:
  - name: ci-cd
    template: "https://raw.githubusercontent.com/redhat-cop/cluster-lifecycle/master/files/projectrequest/template.yml"
    template_action: create
    params_from_vars: "{{ ci_cd }}"
    tags:
    - projects

Have applier enumerate the ansible variable ci_cd into params. Where each key (aka namespace) and value (psc-ci-cd) turn into either a temporary param file, or a string, like so NAMESPACE=psc-ci-cd

The oc process command could take it in via that temp file a string like so:

$ oc process -f my-rails-postgresql \
    -p POSTGRESQL_USER=bob \
    -p POSTGRESQL_DATABASE=mydatabase \
    | oc create -f -

These params ansible variables could/would still be stored in a params/ directory, but because they are now ansible vars we can use all the benefits of ansible instead of them being in static formats

Right now, the molecule test only executes one of the tests in the tests area. It should be updated to automatically pick up all tests in that area and execute them.

Consider utilizing the git-flow wiki for this repo:
https://github.com/redhat-cop/git-flow/wiki

In it's current state, the openshift-applier requires Ansible >=2.5 (due to an Ansible bug in earlier versions). A check should be made up front to ensure minimum Ansible version is met before allowing the execution.

This is a copy of rht-labs/labs-ci-cd#196.

@bit4man

TASK [openshift-applier/roles/openshift-applier : Create OpenShift objects based on template with params for 'projectrequest : ci-cd'] **********************************************************************
fatal: [projects-and-policies]: FAILED! => {"changed": true, "cmd": "oc process --local -f https://raw.githubusercontent.com/redhat-cop/cluster-lifecycle/v3.9.0/files/projectrequest/template.yml --param-file=/tmp/src/params/projectrequests/ci-cd | oc create -f - ", "delta": "0:00:01.311313", "end": "2018-06-20 00:51:09.078042", "failed_when_result": true, "msg": "non-zero return code", "rc": 1, "start": "2018-06-20 00:51:07.766729", "stderr": "Unable to connect to the server: dial tcp: lookup ose39-master1.rhdemo.net on 8.8.8.8:53: no such host", "stderr_lines": ["Unable to connect to the server: dial tcp: lookup ose39-master1.rhdemo.net on 8.8.8.8:53: no such host"], "stdout": "", "stdout_lines": []}

The DNS server that responds is a local DNS server, this dnsmasq instance is only listening to a virtual network address - localhost is not one of them. So a direct resolve only works when run from within the VM. The hosts are all in the /etc/hosts file which dnsmasq translates into dns entries - but from the host itself, that isn't happening.

Not sure where the 8.8.8.8 comes from - not using that here. But I can get past this issue by ensuring I run "run.sh" from a host that can use dns to resolve the master address.

As portions of the inventory used with the openshift-applier is being deprecated (and eventually removed), the role should error out if an old inventory is utilized to alter the user about the "mistake".

I'm opening this as a discussion thread around how we might be able to take the best of both the params and params_from_vars feature.

The idea scenario is that we could declare something like:

  - name: Create Secrets with params_from_vars
    template: "{{ inventory_dir }}/../../files/secrets/template1.yml"
    params: "{{ inventory_dir }}/../../params/param.file"
    params_from_vars: "{{ secret_params }}"
    namespace: oa-ci-secret1

And have the static file act as a set of defaults, with the ability to overwrite them with arguments or parameters from a vars file.

The newly introduced pre-checks for ansible/oc versions can at times cause problems, and it should be possible to override these checks in situations where the user knows "better", or otherwise wants to try something.

What is the recommended way of passing Template params when running the playbook? I.e. at playbook execution time.

Currently you can specify Template parameters in the ...-params file pointed to by the params property in inventory/group_vars/all.yml. So using the example below:

---
openshift_cluster_content:
- object: projectrequest
  content:
  - name: test
    template: "{{ inventory_dir }}/../files/projects/test-template.yml"
    params: "{{ inventory_dir }}/../files/projects/test-params"

{{ inventory_dir }}/../files/projects/test-params can contain my Template parameters to be used when processing the Template.

How could you allow for specifying parameters when running the playbook?
I.e. when running from the command line or even via AWX/Tower, how could you add any required parameters or even replace existing parameters in {{ inventory_dir }}/../files/projects/test-params?

When the newly introduced params_from_vars is set in the inventory, it means that no template processing is done if the entry in the inventory also have the params set. Note params_from_vars applies "globally" across all templates, not just one specific one like the params does and hence may result in skipping many templates if params_from_vars is set.

So this is likely an issue on my own machine (Mac OS X 10.13) having an older version of sed installed by default. I'm getting the following syntax error during the new pre-check.yml task:

TASK [openshift-applier/roles/openshift-applier : Check applier requirements] ***************************************************************
fatal: [build]: FAILED! => {"reason": "Syntax Error while loading YAML.\n  found unknown escape character\n\nThe error appears to have been in '/Users/.../.openshift/roles/openshift-applier/roles/openshift-applier/tasks/pre-check.yml': line 10, column 41, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n- name:  \"Determine oc version\"\n  shell: \"oc version | sed -ne 's/^oc v*\\(.*\\)+.*$/\\1/p'\"\n                                        ^ here\n"}

https://github.com/redhat-cop/openshift-applier/blob/master/roles/openshift-applier/tasks/pre-check.yml#L10

I was able to install gnu-sed via homebrew (brew install --with-default-names gnu-sed), which brought the version up to 4.5. However, I'm still running into the syntax error. See general setup below:

$ which oc
/usr/local/bin/oc
$ oc version
oc v3.9.14
kubernetes v1.9.1+a0ce1bc657
features: Basic-Auth
$ bash -c "oc version | sed -ne 's/^oc v*\(.*\)+.*$/\1/p'"
<no output>

Removing the escape characters for the version capture group AND double-escaping the backslash for the print section of the command as well as adding the -r option to sed command allowed it to work. I only tested this on my Mac as well as a RHEL machine so not sure how portable this is.

# Mac OSX with gnu-sed
$ bash -c "oc version | sed -rne 's/^oc v*(.*)+.*$/\\1/p'"
3.9.14

# Mac OSX without gnu-sed
$ bash -c "oc version | sed -rne 's/^oc v*(.*)+.*$/\\1/p'"
sed: illegal option -- r

# RHEL
$ bash -c "oc version | sed -rne 's/^oc v*(.*)+.*$/\\1/p'"
3.6.1+008f2d5

# RHEL w/ oc 3.9
$ bash -c "oc version | sed -rne 's/^oc v*(.*)+.*$/\\1/p'"
3.9.14